Bug #10669

closed

RGW swift API: temp url generated using x-account-meta-temp-url key is working even after the expiry time if a valid auth token is passed.

Added by Ahmad Faheem about 9 years ago. Updated about 4 years ago.

Status: Can't reproduce
Priority: Normal
Assignee:
Target version: -
% Done: 0%
Source: Q/A
Tags: tempurl
Backport:
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

In Swift, if a temp url has expired, it won't allow accessing the object even if a valid auth token is passed. But Ceph is allowing it.

Steps to reproduce:
1. swift post -H "x-account-meta-temp-url-key: secret"
2. generate temp url using python script https://gist.github.com/theanalyst/c9a81e33d27f8a9bafbc. Use 30s expiry time.
3. curl -i "https://10.20.20.15:80/swift/v1/container/file1?temp_url_sig=085e9b07fa067350b66003f6913798b1ba48b9a2&temp_url_expires=1422448176"

HTTP/1.1 200 OK
Date: Wed, 28 Jan 2015 12:29:15 GMT
Server: Apache/2.4.7 (Ubuntu)
Accept-Ranges: bytes
Last-Modified: Wed, 28 Jan 2015 12:14:54 GMT
etag: 49f68a5c8493ec2c0bf489821c21fc3b
Content-Length: 2
Access-Control-Allow-Origin: *
Content-Type: application/octet-stream
Connection: close

4. Wait for the temp url to expire. Check the time with #date +%s and compare it with the temp_url_expires value appended to the temp url.
5. curl -i "https://10.20.20.15:80/swift/v1/container/file1?temp_url_sig=085e9b07fa067350b66003f6913798b1ba48b9a2&temp_url_expires=1422448176" -H "X-Auth-Token: 265f853c5adb4f04bceecc29771d71d1"

HTTP/1.1 200 OK
Date: Wed, 28 Jan 2015 12:41:46 GMT
Server: Apache/2.4.7 (Ubuntu)
Accept-Ranges: bytes
Last-Modified: Wed, 28 Jan 2015 12:14:54 GMT
etag: 49f68a5c8493ec2c0bf489821c21fc3b
Content-Length: 2
Access-Control-Allow-Origin: *
Content-Type: application/octet-stream
Connection: close

In Swift the last step will throw the error "HTTP/1.1 401 Unauthorized":
curl -i "http://10.0.2.15:8080/v1/AUTH_b2419ea9588d49ddbd8c006b5eb199ff/container/file1?temp_url_sig=da84de9504608cee2217f96e3fab4c5e40922660&temp_url_expires=$expires" -H "x-auth-token: 395ba1f54f98488390c068230dd7a292"

HTTP/1.1 401 Unauthorized
Content-Length: 35
Content-Type: text/html; charset=UTF-8
Www-Authenticate: Swift realm="unknown"
X-Trans-Id: tx0bc56658087f48d483d6c-0054c84d37
Date: Wed, 28 Jan 2015 02:45:11 GMT

401 Unauthorized: Temp URL invalid
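
The behaviour the Swift response above shows, as an added Python example that is not part of the original report and is not Ceph or Swift code: once temp URL parameters are present they alone decide the request, so an expired URL gets 401 even when a valid token accompanies it. The `authorize` function and its `token_valid` flag are hypothetical stand-ins; the key, path and 30 s lifetime come from the reproducer, and the clock values are constructed.

```python
import hmac
from hashlib import sha1
from urllib.parse import parse_qs, urlsplit

KEY = b"secret"                      # x-account-meta-temp-url-key from step 1
PATH = "/swift/v1/container/file1"   # object path from the reproducer
T0 = 1422448146                      # constructed "now" at signing time

def sign(key, method, path, expires):
    # Swift TempURL signature: HMAC-SHA1 over "METHOD\nexpires\npath".
    msg = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, msg, sha1).hexdigest()

def make_temp_url(key, method, path, ttl, now):
    expires = int(now) + ttl
    sig = sign(key, method, path, expires)
    return f"{path}?temp_url_sig={sig}&temp_url_expires={expires}"

def authorize(url, method, key, token_valid, now):
    """Hypothetical gateway check; returns an HTTP status code.
    token_valid stands in for X-Auth-Token validation (assumption)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    sig = query.get("temp_url_sig", [None])[0]
    exp = query.get("temp_url_expires", [None])[0]
    if sig is None and exp is None:
        return 200 if token_valid else 401   # ordinary token-only request
    # Temp URL parameters are present, so they decide the outcome alone;
    # token_valid is deliberately not consulted from here on.
    if sig is None or exp is None or not exp.isdecimal():
        return 401
    if int(exp) < int(now):
        return 401  # expired, with or without a token
    expected = sign(key, method, parts.path, int(exp))
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return 401  # forged signature or altered expiry
    return 200

def demo():
    url = make_temp_url(KEY, "GET", PATH, 30, T0)
    return {
        "fresh, no token": authorize(url, "GET", KEY, False, T0 + 10),
        "expired, no token": authorize(url, "GET", KEY, False, T0 + 60),
        "expired, valid token": authorize(url, "GET", KEY, True, T0 + 60),
        "no temp url, valid token": authorize(PATH, "GET", KEY, True, T0 + 60),
    }

if __name__ == "__main__":
    print(demo())
```

The "expired, valid token" case is the one this report is about: it must match the "expired, no token" result.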

Actions #1

Updated by Casey Bodley about 4 years ago

  • Status changed from New to Triaged
  • Assignee set to Mark Kogan
  • Tags set to tempurl
Actions #2

Updated by Mark Kogan about 4 years ago

  • Status changed from Triaged to Can't reproduce

Tested against master

ceph --version
*** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
ceph version 13.0.0-32477-gc1f3f05011 (c1f3f050110c07afe75a5f8754ce5d627836dd26) octopus (rc)

does not reproduce.

Following the reproducer procedure outlined by OP, after 30 seconds:

curl -i "http://127.0.0.1:8000/swift/v1/sbkt/rgw-010.svg?temp_url_sig=7209936999834c5c7fcc6181981750f1f3faf6fc&temp_url_expires=1587287504" -H "X-Auth-Token: AUTH_rgwtk11000000636f7362656e63683a6f70657261746f72cf1f2d24e26677e4e46d9d5ed3f1920c3aa018171e5fe078968396f8f77d32f90fcca39f"
HTTP/1.1 401 Unauthorized
Content-Length: 12
X-Trans-Id: tx000000000000000000021-005e9c1c8f-10cb-default
X-Openstack-Request-Id: tx000000000000000000021-005e9c1c8f-10cb-default
Accept-Ranges: bytes
Content-Type: text/plain; charset=utf-8
Date: Sun, 19 Apr 2020 09:40:31 GMT
Connection: Keep-Alive

AccessDenied#              
